When I first joined VERT, I had little insight into enterprise networks. I'd spent several years in a helpdesk role at a college and then worked as a sys admin for an SMB. While I still don't work directly with enterprise networks, I do get to see reports that customers submit and findings that they question. It's often a surprise for me, and for the customer, to see what is running on their network.
In recent years the attack focus has shifted to the client, with the browser and the office suite surpassing the telnet daemon and web server as the most attractive targets on a network. In my opinion, this means that certain network-based issues are often overlooked and I wanted to highlight my list of "WTF Issues" that security teams should resolve as quickly as possible. So enough with the intro, on to the first post in VERT's new "Turn That S#!T Off" Series.
SSHv1 Enabled
SSHv1 has had known serious issues for quite a while and the common message from the security community has always been, "Turn that S#!T off". If I had a wishlist of things I'd like to see disappear on a network, this would be near the top. nCircle's IP360 and PureCloud platforms will identify this as "SSHv1 Protocol Available".
Confirming SSHv1 Support
Customers are often surprised by this one because vendors tell them that SSHv1 isn't supported but IP360 tells them it is. You can easily confirm this yourself with ncat (part of nmap):
neogeo:~ treguly$ ncat wopr.test.toronto.ncircle.com 22
SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
^C
The above server will only support SSHv2 and the first 5 characters will tell you:
SSH-2.0 - Only SSHv2 is supported.
SSH-1.99 - SSHv2 and SSHv1 are both supported.
SSH-1.5 - Only SSHv1 is supported.
Note that the first 5 characters will always be SSH-1 when SSHv1 is supported.
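To run the same banner check across a list of your own hosts, here is a Python script that reads each server's identification string and applies the rules above. It is an added example, not part of the original post or of any nCircle product; the function names are illustrative, and treating every 1.x version other than 1.99 as SSHv1-only is a generalization of the SSH-1.5 case.

```python
import socket
import sys

def read_banner(sock, max_lines=20):
    """Return the server's SSH identification string, or None if none arrives."""
    # RFC 4253 section 4.2 lets a server send other text lines before the banner.
    with sock.makefile("rb") as stream:
        for _ in range(max_lines):
            raw = stream.readline(256)  # a banner is at most 255 bytes with CR LF
            if not raw:
                return None  # connection closed before a banner was sent
            line = raw.decode("ascii", errors="replace").rstrip("\r\n")
            if line.startswith("SSH-"):
                return line
    return None

def classify_banner(banner):
    """Map a banner to the protocol versions it advertises."""
    fields = banner.split("-", 2)  # SSH-<protoversion>-<software and comments>
    if len(fields) < 3 or fields[0] != "SSH":
        return "not an SSH banner"
    proto = fields[1]
    if proto == "1.99":
        return "SSHv1 and SSHv2"
    if proto.startswith("1."):
        return "SSHv1 only"  # e.g. SSH-1.5
    if proto == "2.0":
        return "SSHv2 only"
    return "unknown protocol version " + proto

def sshv1_enabled(banner):
    """The rule from the text: SSHv1 is on whenever the banner begins with SSH-1."""
    return banner[:5] == "SSH-1"

def check_host(host, port=22, timeout=5.0):
    """Connect, read the banner and return (banner, verdict)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = read_banner(sock)
    if banner is None:
        return None, "no SSH banner received"
    return banner, classify_banner(banner)

if __name__ == "__main__":
    for target in sys.argv[1:]:  # host names or addresses given as arguments
        try:
            banner, verdict = check_host(target)
        except OSError as exc:
            banner, verdict = None, "connection failed: %s" % exc
        print("%s\t%s\t%s" % (target, verdict, banner or "-"))
```

Run it again after changing the server configuration; a host that still reports SSH-1.99 or SSH-1.5 is still offering SSHv1.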
Disabling SSHv1
Assuming you're running OpenSSH, disabling SSHv1 is very simple:
1) Edit your sshd_config file (generally in /etc or /etc/ssh).
2) Locate the "Protocol" line (e.g. Protocol 2,1).
3) Update the line to read "Protocol 2".
4) Restart sshd.
If you're dealing with an appliance, you may want to poke your vendor. They may have a patch out or a method of reconfiguring the appliance to disable SSHv1.
That's it, a simple little fix to a problem that simply shouldn't exist today. Tomorrow we'll discuss something else that's been stuck in my craw for a while, when I explain how to turn that S#!T off for SSLv2.


